[U-Boot] [PATCH] RFC: Secure boot to U-Boot proper from SPL
Simon Glass
sjg at chromium.org
Sun May 1 19:45:22 CEST 2016
For those that have asked me about this, I have dug into the past and cannot
find my experiment. In the end I managed to reduce U-Boot proper down to
about 100KB of code (by dropping CONFIG_CMD and removing video and USB
drivers) and this was small enough to fit in SRAM. So SPL was not needed.
That said, my experiment drove a lot of the FIT and image refactoring and
I think it is actually pretty easy now to enable the full FIT implementation
in SPL, if your SoC limitations allow it.
In the case of Chrome OS, both U-Boot SPL and U-Boot proper are in read-only
memory so there is no need for this. But even then it is useful to be able
to have the smallest amount of non-updateable software, so quite a bit of
work was done (for pit/pi) to support loading a read-write 'U-Boot proper'
from SPL.
So I think it would be useful to support loading and verifying FIT images
with public key encryption in U-Boot, and fairly straightforward.
To help things along, here is a starting point for firefly-rk3288 (Thumb 2).
This board already uses device tree in SPL (perhaps bravely given the SoC
size limitations) so the additional code would be a few KB larger for
platforms that don't.
For firefly the code size increases from 26KB to 40 KB. There is a fair bit
of opportunity to reduce this if needed, for example by cutting out strings.
Please reply on this thread if you plan to pick this up and prepare a series
to enable this in U-Boot, to reduce duplicated work.
Signed-off-by: Simon Glass <sjg at chromium.org>
---
Kconfig | 8 ++++++++
common/Makefile | 3 ++-
common/image-fit.c | 2 +-
common/spl/spl.c | 1 +
configs/firefly-rk3288_defconfig | 5 +++++
drivers/Makefile | 1 +
include/configs/rk3288_common.h | 2 ++
lib/Makefile | 3 ++-
lib/rsa/rsa-verify.c | 5 ++++-
9 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/Kconfig b/Kconfig
index f53759a..4ffcc76 100644
--- a/Kconfig
+++ b/Kconfig
@@ -183,6 +183,10 @@ config FIT
verified boot (secure boot using RSA). This option enables that
feature.
+config SPL_FIT
+ bool "Support Flattened Image Tree in SPL"
+ depends on FIT
+
config FIT_VERBOSE
bool "Display verbose messages on FIT boot"
depends on FIT
@@ -205,6 +209,10 @@ config FIT_SIGNATURE
format support in this case, enable it using
CONFIG_IMAGE_FORMAT_LEGACY.
+config SPL_FIT_SIGNATURE
+ bool "Enable signature verification of FIT uImages in SPL"
+ depends on FIT_SIGNATURE
+
config FIT_BEST_MATCH
bool "Select the best match for the kernel device tree"
depends on FIT
diff --git a/common/Makefile b/common/Makefile
index b23f312..647a4ed 100644
--- a/common/Makefile
+++ b/common/Makefile
@@ -10,7 +10,6 @@ ifndef CONFIG_SPL_BUILD
obj-y += init/
obj-y += main.o
obj-y += exports.o
-obj-y += hash.o
ifdef CONFIG_SYS_HUSH_PARSER
obj-y += cli_hush.o
endif
@@ -150,6 +149,8 @@ obj-y += fb_nand.o
endif
endif
+obj-y += hash.o
+
# We always have this since drivers/ddr/fs/interactive.c needs it
obj-$(CONFIG_CMDLINE) += cli_simple.o
diff --git a/common/image-fit.c b/common/image-fit.c
index 25f8a11..12c94e1 100644
--- a/common/image-fit.c
+++ b/common/image-fit.c
@@ -1502,7 +1502,7 @@ void fit_conf_print(const void *fit, int noffset, const char *p)
static int fit_image_select(const void *fit, int rd_noffset, int verify)
{
- fit_image_print(fit, rd_noffset, " ");
+// fit_image_print(fit, rd_noffset, " ");
if (verify) {
puts(" Verifying Hash Integrity ... ");
diff --git a/common/spl/spl.c b/common/spl/spl.c
index 82e7f58..017ca82 100644
--- a/common/spl/spl.c
+++ b/common/spl/spl.c
@@ -345,6 +345,7 @@ void board_init_r(gd_t *dummy1, ulong dummy2)
int i;
debug(">>spl:board_init_r()\n");
+ fit_image_load(NULL, 0, NULL, NULL, 0, 0, 0, 0, NULL, NULL);
#if defined(CONFIG_SYS_SPL_MALLOC_START)
mem_malloc_init(CONFIG_SYS_SPL_MALLOC_START,
diff --git a/configs/firefly-rk3288_defconfig b/configs/firefly-rk3288_defconfig
index 0995f9b..596475c 100644
--- a/configs/firefly-rk3288_defconfig
+++ b/configs/firefly-rk3288_defconfig
@@ -69,3 +69,8 @@ CONFIG_USE_PRIVATE_LIBGCC=y
CONFIG_USE_TINY_PRINTF=y
CONFIG_CMD_DHRYSTONE=y
CONFIG_ERRNO_STR=y
+CONFIG_SPL_FIT=y
+CONFIG_SPL_OF_LIBFDT
+CONFIG_FIT_SIGNATURE=y
+CONFIG_SPL_FIT_SIGNATURE=y
+CONFIG_FIT=y
diff --git a/drivers/Makefile b/drivers/Makefile
index 6900097..baf9dee 100644
--- a/drivers/Makefile
+++ b/drivers/Makefile
@@ -36,6 +36,7 @@ obj-$(CONFIG_SPL_WATCHDOG_SUPPORT) += watchdog/
obj-$(CONFIG_SPL_USB_HOST_SUPPORT) += usb/host/
obj-$(CONFIG_OMAP_USB_PHY) += usb/phy/
obj-$(CONFIG_SPL_SATA_SUPPORT) += block/
+obj-$(CONFIG_SPL_CRYPTO_SUPPORT) += crypto/
else
diff --git a/include/configs/rk3288_common.h b/include/configs/rk3288_common.h
index 8a81397..39bffcb 100644
--- a/include/configs/rk3288_common.h
+++ b/include/configs/rk3288_common.h
@@ -11,6 +11,8 @@
#include <asm/arch/hardware.h>
+#define CONFIG_SPL_CRYPTO_SUPPORT
+
#define CONFIG_SYS_NO_FLASH
#define CONFIG_NR_DRAM_BANKS 1
#define CONFIG_ENV_SIZE 0x2000
diff --git a/lib/Makefile b/lib/Makefile
index 02dfa29..b3ea4bd 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -9,7 +9,6 @@ ifndef CONFIG_SPL_BUILD
obj-$(CONFIG_EFI) += efi/
obj-$(CONFIG_EFI_LOADER) += efi_loader/
-obj-$(CONFIG_RSA) += rsa/
obj-$(CONFIG_LZMA) += lzma/
obj-$(CONFIG_LZO) += lzo/
obj-$(CONFIG_ZLIB) += zlib/
@@ -49,6 +48,8 @@ obj-$(CONFIG_BITREVERSE) += bitrev.o
obj-y += list_sort.o
endif
+obj-$(CONFIG_RSA) += rsa/
+
obj-$(CONFIG_$(SPL_)OF_LIBFDT) += libfdt/
ifdef CONFIG_SPL_OF_CONTROL
obj-$(CONFIG_OF_LIBFDT) += libfdt/
diff --git a/lib/rsa/rsa-verify.c b/lib/rsa/rsa-verify.c
index 60126d2..341ce2e 100644
--- a/lib/rsa/rsa-verify.c
+++ b/lib/rsa/rsa-verify.c
@@ -200,7 +200,10 @@ int rsa_verify(struct image_sign_info *info,
}
/* Look for a key that matches our hint */
- snprintf(name, sizeof(name), "key-%s", info->keyname);
+ // FIXME
+ //snprintf(name, sizeof(name), "key-%s", info->keyname);
+ strcpy(name, "key-");
+ strcat(name, info->keyname);
node = fdt_subnode_offset(blob, sig_node, name);
ret = rsa_verify_with_keynode(info, hash, sig, sig_len, node);
if (!ret)
--
2.8.0.rc3.226.g39d4020
More information about the U-Boot
mailing list